Indicators of compromise from the snowshoe phishing campaign documented in Footprints in the Snow. All IOCs from direct observation on the targeted mailbox and live page capture, compiled June 2, 2026.
# Sending Infrastructure

| IOC Type | Value | Notes |
|---|---|---|
| IP range | 104.243.247.0/24 | vititude.com rDNS, AS9009 (M247) |
| IP range | 102.135.108.0/24 | grantrank.com rDNS, AS55154 |
| IP range | 93.92.72.0/24 | usofcode.com rDNS, AS44793 |
| Abuse email | admin@pointtoserver.com | Shared across ARIN + AFRINIC blocks |
| ARIN org | Secure Internet LLC / "Internet Security - US OH" | Parent: NetName PUREVPN |
| ARIN contact | Uzair Gadit (GADIT3-ARIN) | Phone: +1-217-651-4225 |
| AFRINIC org | "internet-secuirty" (sic) | Country: SC (Seychelles) |
| RIPE org | Amuser Telco / AlliumTech | Country: IT, abuse: abuse@cloudvox.it |
# Email Kit Signatures

| IOC Type | Value | Notes |
|---|---|---|
| Forged header | `X-Spam-Score: -6` | Injected by content stage; inconsistent with real score |
| Forged header families | X-Milter-ID, X-Milter-Id, X-Amavis-Alert-Id, X-Scanner-Trace-Id, X-Scan-Chain-Id, X-Mailer-Trace, X-Mime-Parse-ID | Disguised per-send trace tokens |
| MIME boundary families | `=forge.*`, `==rail-*_<Codename>`, `==node_<hex>-<rand>.MailPart-<n>`, `-arc=_TextBoundary-Spool` | Multiple boundary generators |
| Prompt scaffold | `=== SECTION ===` structure with sections: Prompt brief/Assignment, Variation profile/Creative route, Freshness/Divergence rules, Creative hints/Prompt steering, Final output/Return rules | Byte-identical boilerplate across leaked prompts |
| Hidden text spec | "Inbox-placement hidden text (MANDATORY)" | Bayesian poisoning; source of "I meant to reply sooner..." filler |
| CSS hiding list | ~35 entries randomized per block: `font-size:0`, `display:none`, `clip-path:inset(100%)`, `position:absolute;left:-9999px`, `transform:scale(0)`, etc. | Defeats single-pattern hidden-text detectors |
| CTA path vocabulary | scope, vector, signal, wire, relay, junction, channel, anchor, pulse, feed, desk, brief, openlatest, followalong, roundupdesk | Cross-domain kit fingerprint |
| Display-name typosquats | WaImart (capital I for lowercase L) | Brand impersonation |
| CTA token pattern | Redeem Your 1OO.OO Card (letter O for zero) | Content-filter dodge |
| Run seed format | 32-hex string per generation | Polymorphism seed |
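As an added example (not part of the original appendix), the Python below checks one raw message against the header, boundary, display-name and CTA-token signatures in the table above and reports which groups fire. The sample message, its trace-token value and boundary are constructed, and the single-entry brand list is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Forged trace-token header families from the Email Kit Signatures table; the kit
# varies the case of the name (X-Milter-ID / X-Milter-Id), so match case-insensitively.
FORGED_HEADER_RE = re.compile(
    r"^X-(Milter-Id|Amavis-Alert-Id|Scanner-Trace-Id|Scan-Chain-Id|Mailer-Trace|Mime-Parse-Id)$", re.I)
# MIME boundary generator families; <Codename>, <hex>, <rand> and <n> become wildcards.
BOUNDARY_FAMILIES = [
    ("forge", re.compile(r"^=forge\.")),
    ("rail", re.compile(r"^==rail-.*_\w+$")),
    ("node", re.compile(r"^==node_[0-9a-f]+-\w+\.MailPart-\d+$")),
    ("arc", re.compile(r"^-arc=_TextBoundary-Spool")),
]
BRANDS = ["Walmart"]  # assumed brand list; the kit typosquats with capital I for lowercase l

def kit_indicators(raw_message: str) -> dict:
    """Report which Email Kit Signatures fire on one RFC 5322 message."""
    msg = message_from_string(raw_message)
    hits = {}
    hits["forged_headers"] = [h for h in msg.keys() if FORGED_HEADER_RE.match(h)]
    # X-Spam-Score: -6 is stamped by the content stage, not by a real scanner.
    hits["spam_score_forged"] = msg.get("X-Spam-Score", "").strip() == "-6"
    # Boundary generator fingerprint (None for single-part or unknown boundaries).
    boundary = msg.get_boundary() or ""
    hits["boundary_family"] = next((n for n, rx in BOUNDARY_FAMILIES if rx.match(boundary)), None)
    # Display-name typosquat: normalising I -> l recovers the brand while the raw name does not.
    display, _ = parseaddr(msg.get("From", ""))
    hits["display_name_typosquat"] = any(
        display != b and display.replace("I", "l") == b for b in BRANDS)
    # Letter O standing in for zero inside a currency-looking token such as 1OO.OO.
    tokens = re.findall(r"\b[0-9O]+\.[0-9O]{2}\b", msg.get("Subject", ""))
    hits["o_for_zero"] = any("O" in t and any(c.isdigit() for c in t) for t in tokens)
    hits["score"] = sum(bool(v) for v in hits.values())  # number of signature groups hit
    return hits

# Constructed sample message (not a captured artefact); token and boundary values are made up.
SAMPLE = """\
From: WaImart <offers@example.invalid>
Subject: Redeem Your 1OO.OO Card
X-Spam-Score: -6
X-Scan-Chain-Id: 5f1e2d3c
Content-Type: multipart/alternative; boundary="==node_9f3a-Qz7.MailPart-2"

--==node_9f3a-Qz7.MailPart-2
I meant to reply sooner...
--==node_9f3a-Qz7.MailPart-2--
"""
```

Running `kit_indicators(SAMPLE)` fires all five groups; a legitimate message with a correctly spelled brand, a real spam score and a plain `100.00` token scores zero.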
# Front Domains (Sample)

231 total unique domains across 248 sends. Full list available on request.

| IOC Type | Value | Notes |
|---|---|---|
| TLD distribution | .com (61), .bond (41), .lat (38), .garden (32), .living (30), .lol (11), .world (9), .blog (5), .homes (3), .org (1) | 74% cheap new-gTLDs |
| Domain construction | Two concatenated dictionary words on cheap TLDs | DGA-flavored bulk registration |
| Unsubscribe subdomains | ww0.-ww9. and random 3-char mixed-case (Aus., DTq., kQM.) | Two families; `ww[0-9]\.` is distinctive |
# TDS / Traffic Distribution

| IOC Type | Value | Notes |
|---|---|---|
| TDS domain | surveysreswards[.]com | Typosquat of "surveys rewards" |
| TDS tracking domain | insighthepanel[.]com (t2.insighthepanel[.]com in oho param) | Operator's click-tracking panel |
| Registrar | Internet Domain Service BS Corp (internet.bs) | Same for both TDS domains |
| Privacy | Whois Privacy Corp, Nassau, Bahamas | Same for both |
| CF nameservers | crystal/wesley.ns.cloudflare.com (surveysreswards), ryleigh/toby.ns.cloudflare.com (insighthepanel) | Different CF accounts |
| CF analytics token | 7092b83116ff4010907be780fcec704d | In beacon on TDS source; ties all TDS traffic to one Cloudflare account |
| Affiliate tag | utm_source=cts | On ExpressVPN redirect for scanner traffic |
# Scam Kit

| IOC Type | Value | Notes |
|---|---|---|
| Kit root path | /template-mb/ | In base64-encoded baci params |
| Kit JS | myscript_11.js | Main script |
| Asset path | survey_us_d/ | On CloudFront |
| CloudFront dist | d3e1y4kqljcb.cloudfront.net, d3e1y4kxkqljcb.cloudfront.net | Kit asset CDN |
| Config object | window.surveyConfig | Contains target brand, questions JSON path, offers JSON path, timer |
| Brand target | "target":"wlm" | Walmart; configurable per brand |
| CPA pub ID | c=\|77328 | Publisher ID in downstream CPA network |
| Campaign ID | s=1938 | Internal campaign tracking |
| Creative ID | cr=opfxx3 | Internal creative/variant code |
| Anti-indexing | `<meta name="robots" content="noindex, nofollow, noarchive">` | Hides from search engines |
# Cloaking Behavior

| Visitor Profile | Response |
|---|---|
| urlscan.io (scanner IP) | 204 No Content or 302 to expressvpn.com/?utm_source=cts |
| View-source on live page | ExpressVPN homepage HTML (legitimate site as shell) |
| Rendered DOM on live page | Walmart survey scam kit (injected client-side via JS) |
| Real browser on mobile carrier IP | Full scam page with survey, fake comments, CC harvesting form |